3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.8
Sample

191122-j7277r816x
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1420	1936	WScript.exe	26
PID 1420 wrote to memory of 1356	1420	wscript.exe	27
PID 1356 wrote to memory of 1712	1356	wscript.exe	28
PID 1712 wrote to memory of 272	1712	wscript.exe	29
PID 272 wrote to memory of 1828	272	wscript.exe	30
PID 1828 wrote to memory of 2004	1828	wscript.exe	31
PID 2004 wrote to memory of 1920	2004	wscript.exe	32
PID 1920 wrote to memory of 1172	1920	wscript.exe	33
PID 1172 wrote to memory of 1332	1172	wscript.exe	34
PID 1332 wrote to memory of 1356	1332	wscript.exe	35
PID 1356 wrote to memory of 1116	1356	wscript.exe	36
PID 1116 wrote to memory of 796	1116	wscript.exe	37
PID 796 wrote to memory of 1888	796	wscript.exe	38
PID 1888 wrote to memory of 2008	1888	wscript.exe	39
PID 2008 wrote to memory of 864	2008	wscript.exe	40
PID 864 wrote to memory of 1120	864	wscript.exe	41
PID 1120 wrote to memory of 1956	1120	wscript.exe	42
PID 1956 wrote to memory of 1996	1956	wscript.exe	43
PID 1996 wrote to memory of 888	1996	wscript.exe	44
PID 888 wrote to memory of 1272	888	wscript.exe	45
PID 1272 wrote to memory of 2040	1272	wscript.exe	46
PID 2040 wrote to memory of 1124	2040	wscript.exe	47
PID 1124 wrote to memory of 1968	1124	wscript.exe	48
PID 1968 wrote to memory of 1904	1968	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-3-0x00000000028E0000-0x00000000028E4000-memory.dmp

Filesize
16KB

Download
memory/864-12-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/888-16-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1116-9-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1120-13-0x0000000002990000-0x0000000002994000-memory.dmp

Filesize
16KB

Download
memory/1124-19-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1172-6-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/1272-17-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/1332-7-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1356-8-0x00000000029A0000-0x00000000029A4000-memory.dmp

Filesize
16KB

Download
memory/1420-1-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/1712-2-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/1888-10-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1920-5-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1936-0-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1956-14-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1968-20-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/1996-15-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/2004-4-0x00000000028E0000-0x00000000028E4000-memory.dmp

Filesize
16KB

Download
memory/2008-11-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/2040-18-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads